Channels

Services

BIND 9.9.2 closes IPv6 security hole

Updates for the current version, 9.9.2, and the older 9.8.4 version of the widely used, free BIND DNS server have now become available. They close a security hole that enabled attackers to crash the daemon. All versions of BIND that use the DNS64 option, which was introduced in version 9.8, are affected.

The problem appears to have been caused by a flaw in the implementation of this option; the flaw allows attackers to crash the server with specially crafted requests. DNS64 enables IPv6 computers to communicate with IPv4 machines via an address translator (NAT64). The option is intended for recursive servers. Those who don't use it are not affected by the now corrected bug – everyone else should either disable DNS64 or install the new version.

The release notes from the developers, ISC, are rather confusing. On the one hand, they state that BIND 9.9.2-P1 is a security release that supersedes version 9.9.2 of BIND. However, the next sentence explains that the passage that follows lists the differences to the next earlier version, BIND 9.9.1 – and therefore includes all new features that were already available in 9.9.2. Comparing with the 9.9.2 release notes reveals that the DNS64 fix (CVE-2012-5688) is the only change made in the -P1 release. The notes also point out that the fix is "a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3" which are as yet unreleased versions of BIND.

The ISC-licensed BIND 9.9.2-P1 and 9.8.4-P1 are available to download from the ISC web site as source code or Windows binaries.